How To Host a Website Using Cloudflare and Nginx on Ubuntu 16.04

Introduction

Cloudflare is a service that sits between the visitor and the website owner's server, acting as a reverse proxy for websites. Cloudflare provides a Content Delivery Network (CDN), as well as DDoS mitigation and distributed domain name server services.

Nginx is a popular web server responsible for hosting some of the largest and highest-traffic sites on the internet. It's common for organizations to serve websites with Nginx and use Cloudflare as a CDN and DNS provider.

In this tutorial you will secure your website served by Nginx with an Origin CA certificate from Cloudflare and configure Nginx to use authenticated pull requests. The advantages of using this setup are that you benefit from Cloudflare's CDN and fast DNS resolution while ensuring that all connections pass through Cloudflare. This prevents any malicious requests from reaching your server.

Step 1 — Generating an Origin CA TLS Certificate

The Cloudflare Origin CA lets you generate a free TLS certificate signed by Cloudflare to install on your Nginx server. By using the Cloudflare generated TLS certificate you can secure the connection between Cloudflare's servers and your Nginx server.

To generate a certificate with Origin CA, navigate to the Crypto section of your Cloudflare dashboard. From there, click on the Create Certificate button in the Origin Certificates section:

Leave the default option of Let CloudFlare generate a private key and a CSR selected.

Click Next and you will see a dialog with the Origin Certificate and Private key. You need to transfer both the origin certificate and private key from CloudFlare to your server.

We'll use the /etc/ssl/certs directory on the server to hold the origin certificate. The /etc/ssl/private directory will hold the private key file. Both folders already exist on the server.

First, copy the contents of the Origin Certificate displayed in the dialog box in your browser.

Then, on your server, open /etc/ssl/certs/cert.pem for editing:

sudo nano /etc/ssl/certs/cert.pem

Paste the certificate contents into the file. Then save and exit the editor.

Then return to your browser and copy the contents of the Private key. Open the file /etc/ssl/private/key.pem for editing:

sudo nano /etc/ssl/private/key.pem

Paste the key into the file, save the file, and exit the editor.

Warning: Cloudflare's Origin CA Certificate is only trusted by Cloudflare and therefore should only be used by origin servers that are actively connected to Cloudflare. If at any point you pause or disable Cloudflare, your Origin CA certificate will throw an untrusted certificate error.

Now that you copied the key and certificate files to your server, you need to update the Nginx configuration to use them.

Step 2 — Installing the Origin CA certificate in Nginx

In the previous section, you generated an origin certificate and private key using Cloudlfare's dashboard and saved the files to your server. Now you'll update the Nginx configuration for your site to use the origin certificate and private key to secure the connection between Cloudflare's servers and your server.

Nginx creates a default server block during installation. Remove it if it exists, as you've already configured a custom server block for your domain:

Next, test to make sure that there are no syntax errors in any of your Nginx configuration files:

sudo nginx -t

If no problems were found, restart Nginx to enable your changes:

sudo systemctl restart nginx

Now go to the Cloudflare dashboard's Crypto section and change SSL mode to Full. This informs Cloudflare to always encrypt the connection between Cloudflare and your origin Nginx server.

Now visit your website at https://example.com to verify that it's set up properly. You'll see your home page displayed, and the browser will report that the site is secure.

In the next section, you will set up Authenticated Origin Pulls to verify that your origin server is indeed talking to Cloudflare and not some other server. By doing so, Nginx will be configured to only accept requests which use a valid client certificate from Cloudflare and requests which have not passed through CloudFlare will be dropped.

Step 3 — Setting Up Authenticated Origin Pulls

The Origin CA certificate will help Cloudflare verify that it is talking to the correct origin server. But how can your origin Nginx server verify that it is actually talking to Cloudflare? Enter TLS Client Authentication.

In a client authenticated TLS handshake, both sides provide a certificate to be verified. The origin server is configured to only accept requests that use a valid client certificate from Cloudflare. Requests which have not passed through Cloudflare will be dropped as they will not have Cloudflare's certificate. This means that attackers cannot circumvent Cloudflare's security measures and directly connect to your Nginx server.

Cloudflare presents certificates signed by a CA with the following certificate:

Next, test to make sure that there are no syntax errors in your Nginx configuration.

sudo nginx -t

If no problems were found, restart Nginx to enable your changes:

sudo systemctl restart nginx

Finally, to enable Authenticated Pulls, open the Crypto section in the Cloudflare dashboard and toggle the Authenticated Origin Pulls option .

Now visit your website at https://example.com to verify that it was set up properly. As before, you'll see your home page displayed.

To verify that your server will only accept requests signed by Cloudflare's CA, toggle the Authenticated Origin Pulls option to disable it and then reload your website. You should get the following error message :

Your origin server raises an error if a request is not signed by Cloudflare's CA.

Now that you know it works properly, return to the Crypto section in the Cloudflare dashboard and toggle the Authenticated Origin Pulls option again to enable it.

Conclusion

In this tutorial you secured your Nginx-powered website by encrypting traffic between Cloudflare and the Nginx server using an Origin CA certificate from Cloudflare. You then set up Authenticated Origin Pulls on the Nginx server to ensure that it only accepts requests from Cloudflare's servers, preventing anyone else from directly connecting to the Nginx server.